Friday’s cyberattack is a shot-over-bow for healthcare (updated)

Friday’s multiple distributed denial-of-service (DDoS) attacks on Dyn, the domain name system provider for hundreds of major websites, also hit close to home. Both Athenahealth and Allscripts went down briefly during the attack period. Athenahealth reported that only their patient-facing website was affected, not their EHRs, according to Modern Healthcare. However, a security expert from CynergisTek, CEO Mac McMillan, said that Athenahealth EHRs were affected, albeit only a few–all small hospitals.

Hours before the attack, a researcher/spokesman from Dyn had presented a talk on DDoS attacks at a meeting of the North American Network Operators Group (NANOG).

The culprit is a bit of malware called Mirai that targets IoT–Internet of Things–devices. It also took down the (Brian) KrebsOnSecurity.com blog, which had been working with Dyn on information around DDoS attacks and some of those promoting ‘cures’. According to Krebs, the malware first looks through millions of poorly secured internet-connected devices (those innocent-looking DVRs, smart home devices and even security devices that look out on your front door) and servers, then pounces, conscripting a huge number of them into botnets that send tsunamis of traffic to the target to crash it. According to the Krebs website, it’s also entwined with extortion–read, ransomware demands.

Here we have another warning for healthcare, if ransomware wasn’t enough. According to MH, “even for those hospitals with so-called “legacy” EHRs that run on the hospital’s own computers, an average of about 30 percent of their information technology infrastructure is hosted by an outside company and provided over the internet.” All too many of these hospital monitors run on outdated software with little to no protection from hackers [The happy hackfest instigated in-house by Essentia Health in 2014 proves the point; from last year, here is the warning that all these outdated devices are Typhoid Marys spreading infection through hospital networks]. St Jude Medical has of late had to answer charges that its pacemakers and other cardiac devices are vulnerable to hacking–which short-sellers have used to drive down its stock pending its acquisition by Abbott Laboratories. Modern Healthcare

The answer? Everywhere. The universal conclusion is that this particular Mirai malware-caused DDoS is but a test for the next waves, and next malware, to come. ZDNet

Updated: 5 takeaways on why this matters from TechRepublic, including the ‘layered’ nature of the Dyn attack, which went from the US East Coast to worldwide over a matter of hours, and the urgent need to patch, update or toss IoT devices. And if you want a glimpse into the Hacker Life and their ethics (which justify hacks against the Daesh (better known as ISIS), the KKK, Fox News, CNN, both political parties, and the US military, ahem), read an interview published by TR with S1ege of the group Ghost Squad Hackers. (Take the latter with a box of salt!)
